V modern\u00edm prost\u0159ed\u00ed hrozeb se ransomware vyvinul z oportunistick\u00e9ho \u0161ifrov\u00e1n\u00ed na vysoce c\u00edlen\u00e9 kampan\u011b s v\u00edcen\u00e1sobn\u00fdm vyd\u00edr\u00e1n\u00edm. Pokro\u010dil\u00e9 trval\u00e9 hrozby (APT) a syndik\u00e1ty ransomwaru nyn\u00ed b\u011bhem doby sv\u00e9ho p\u016fsoben\u00ed v s\u00edti aktivn\u011b vyhled\u00e1vaj\u00ed z\u00e1lohovac\u00ed infrastrukturu a datab\u00e1zov\u00e9 archivy. Pokud \u00fato\u010dn\u00edk kompromituje va\u0161i prim\u00e1rn\u00ed datab\u00e1zi a z\u00e1rove\u0148 sma\u017ee nebo za\u0161ifruje va\u0161e z\u00e1lohovac\u00ed \u00falo\u017ei\u0161t\u011b, \u010del\u00ed va\u0161e organizace katastrof\u00e1ln\u00ed ztr\u00e1t\u011b dat.<\/p>\n
Pro datab\u00e1zov\u00e9 administr\u00e1tory (DBA) a DevOps in\u017een\u00fdry ji\u017e tradi\u010dn\u00ed strategie z\u00e1lohov\u00e1n\u00ed 3-2-1 nesta\u010d\u00ed. Aby byla zaru\u010dena p\u0159e\u017eitelnost dat, mus\u00ed t\u00fdmy infrastruktury p\u0159ijmout pravidlo 3-2-1-1, kde posledn\u00ed \u201e1\u201c p\u0159edstavuje nem\u011bnn\u00e9 (imutable) \u00falo\u017ei\u0161t\u011b<\/strong>.<\/p>\n Tento \u010dl\u00e1nek poskytuje komplexn\u00ed technick\u00fd vhled do n\u00e1vrhu, implementace a spr\u00e1vy nem\u011bnn\u00e9ho \u00falo\u017ei\u0161t\u011b pro datab\u00e1zov\u00e9 archivy, aby byla zaji\u0161t\u011bna absolutn\u00ed odolnost v\u016f\u010di ransomwaru.<\/p>\n Nem\u011bnn\u00e9 \u00falo\u017ei\u0161t\u011b spol\u00e9h\u00e1 na architekturu WORM (Write-Once-Read-Many \u2013 jednou zapi\u0161, mnohokr\u00e1t \u010dti). Jakmile jsou data zaps\u00e1na do nem\u011bnn\u00e9ho c\u00edle, nemohou b\u00fdt upravena, za\u0161ifrov\u00e1na ani smaz\u00e1na \u017e\u00e1dn\u00fdm u\u017eivatelem \u2013 v\u010detn\u011b administr\u00e1tor\u016f s pr\u00e1vy root nebo kompromitovan\u00fdch servisn\u00edch \u00fa\u010dt\u016f \u2013 dokud nevypr\u0161\u00ed matematicky vynucen\u00fd \u010dasov\u00fd z\u00e1mek.<\/p>\n P\u0159i implementaci nem\u011bnnosti, zejm\u00e9na v cloudov\u00fdch objektov\u00fdch \u00falo\u017ei\u0161t\u00edch, jako jsou AWS S3, Azure Blob nebo S3 kompatibiln\u00ed on-premises SAN, mus\u00edte rozum\u011bt rozd\u00edlu mezi re\u017eimy uchov\u00e1v\u00e1n\u00ed:<\/p>\n Robustn\u00ed architektura archivace datab\u00e1z\u00ed odd\u011bluje aktivn\u00ed datab\u00e1zov\u00e9 operace od nem\u011bnn\u00e9 archiva\u010dn\u00ed vrstvy. Nem\u011bnnost nelze aplikovat na aktivn\u00ed datab\u00e1zov\u00e9 soubory (jako M\u00edsto toho se nem\u011bnnost aplikuje na: Nem\u011bnn\u00e9 \u00falo\u017ei\u0161t\u011b m\u016f\u017eete implementovat nap\u0159\u00ed\u010d r\u016fzn\u00fdmi vrstvami infrastruktury: Pro ochranu datab\u00e1zov\u00fdch dump\u016f a transak\u010dn\u00edch log\u016f v AWS mus\u00edte povolit Object Lock ji\u017e p\u0159i vytv\u00e1\u0159en\u00ed bucketu.<\/p>\n Nejprve vytvo\u0159te bucket s povolen\u00fdm Object Lockem:<\/p>\n Pot\u00e9 nakonfigurujte v\u00fdchoz\u00ed reten\u010dn\u00ed politiku. Pro datab\u00e1zov\u00e9 archivy je 30denn\u00ed z\u00e1mek v re\u017eimu shody standardn\u00edm z\u00e1kladem, kter\u00fd zaji\u0161\u0165uje, \u017ee m\u00e1te m\u011bs\u00edc nem\u011bnn\u00fdch z\u00e1loh.<\/p>\n Kdy\u017e v\u00e1\u0161 skript pro z\u00e1lohov\u00e1n\u00ed datab\u00e1ze nebo agent nahraje soubor do tohoto bucketu, S3 automaticky vypo\u010d\u00edt\u00e1 Pokud archivujete datab\u00e1ze na on-premises linuxov\u00fd z\u00e1lohovac\u00ed server, m\u016f\u017eete dos\u00e1hnout pseudo-nem\u011bnnosti pomoc\u00ed p\u0159\u00edkazu Pou\u017eit\u00ed Linux Pozn\u00e1mka: I kdy\u017e Pou\u017eit\u00ed ZFS snapshot\u016f:<\/strong> Pro dosa\u017een\u00ed obnovy k ur\u010dit\u00e9mu bodu v \u010dase (PITR) mus\u00edte kontinu\u00e1ln\u011b archivovat transak\u010dn\u00ed logy do sv\u00e9ho nem\u011bnn\u00e9ho \u00falo\u017ei\u0161t\u011b.<\/p>\n Ve va\u0161em Kl\u00ed\u010dov\u00e9 upozorn\u011bn\u00ed:<\/em> Pokud v\u00e1\u0161 S3 bucket vynucuje 30denn\u00ed z\u00e1mek v re\u017eimu shody, ale SQL Server podporuje nativn\u00ed z\u00e1lohov\u00e1n\u00ed p\u0159\u00edmo do S3 kompatibiln\u00edho objektov\u00e9ho \u00falo\u017ei\u0161t\u011b. M\u016f\u017eete nakonfigurovat \u00falohu SQL Server Agenta tak, aby zapisovala soubory Spr\u00e1va p\u0159\u00edznak\u016f nem\u011bnn\u00e9 retence, rotace p\u0159\u00edstupov\u00fdch kl\u00ed\u010d\u016f a zaji\u0161t\u011bn\u00ed synchronizace mezi reten\u010dn\u00edmi politikami datab\u00e1ze a z\u00e1mky \u00falo\u017ei\u0161t\u011b pomoc\u00ed vlastn\u00edch skript\u016f je vysoce n\u00e1chyln\u00e1 k chyb\u00e1m. Jedin\u00e1 chybn\u00e1 konfigurace v cron jobu nebo vol\u00e1n\u00ed API m\u016f\u017ee nechat va\u0161e archivy nechr\u00e1n\u011bn\u00e9 nebo v\u00e9st k raketov\u00e9mu n\u00e1r\u016fstu n\u00e1klad\u016f na cloudov\u00e9 \u00falo\u017ei\u0161t\u011b kv\u016fli osi\u0159el\u00fdm, uzam\u010den\u00fdm objekt\u016fm.<\/p>\n Podnikov\u00e9 z\u00e1lohovac\u00ed platformy jako CloudSave tuto architekturu zjednodu\u0161uj\u00ed. CloudSave se nativn\u011b integruje s AWS S3 Object Lock, Azure Blob Immutable Storage a on-premises S3 kompatibiln\u00edmi API.<\/p>\n P\u0159i konfiguraci pl\u00e1nu z\u00e1lohov\u00e1n\u00ed datab\u00e1ze v CloudSave: Abyste zajistili, \u017ee va\u0161e nem\u011bnn\u00e1 architektura je skute\u010dn\u011b odoln\u00e1, dodr\u017eujte n\u00e1sleduj\u00edc\u00ed osv\u011bd\u010den\u00e9 postupy syst\u00e9mov\u00e9ho in\u017een\u00fdrstv\u00ed:<\/p>\n Nem\u011bnn\u00e9 z\u00e1mky jsou matematicky v\u00e1z\u00e1ny na \u010dasov\u00e1 raz\u00edtka. Pokud je slu\u017eba NTP (Network Time Protocol) na va\u0161em \u00falo\u017en\u00e9m poli nebo z\u00e1lohovac\u00edm serveru kompromitov\u00e1na nebo vykazuje odchylky, m\u016f\u017ee to zp\u016fsobit p\u0159ed\u010dasn\u00e9 vypr\u0161en\u00ed z\u00e1mk\u016f nebo jejich nefunk\u010dnost. Zajist\u011bte, aby va\u0161e \u00falo\u017en\u00e1 infrastruktura pou\u017e\u00edvala autentizovan\u00e9 a redundantn\u00ed zdroje NTP.<\/p>\n P\u0159ihla\u0161ovac\u00ed \u00fadaje pou\u017e\u00edvan\u00e9 pro z\u00e1pis do nem\u011bnn\u00e9ho bucketu mus\u00ed m\u00edt pouze opr\u00e1vn\u011bn\u00ed P\u0159\u00edklad IAM politiky s nejni\u017e\u0161\u00edmi privilegii pro agenta z\u00e1lohov\u00e1n\u00ed datab\u00e1ze:<\/p>\n Nenastavujte z\u00e1mky shody na p\u0159\u00edli\u0161 dlouhou dobu (nap\u0159. 7 let pro shodu) na va\u0161\u00ed prim\u00e1rn\u00ed vrstv\u011b pro rychlou obnovu. Datab\u00e1ze generuj\u00ed obrovsk\u00e9 mno\u017estv\u00ed WAL\/transak\u010dn\u00edch log\u016f. Uzam\u010den\u00ed t\u011bchto dat na roky povede k exponenci\u00e1ln\u00edmu r\u016fstu n\u00e1klad\u016f na \u00falo\u017ei\u0161t\u011b. Nem\u011bnnost zaru\u010duje, \u017ee data nelze smazat, ale nezaru\u010duje, \u017ee data neobsahuj\u00ed logick\u00e9 po\u0161kozen\u00ed. Mus\u00edte automatizovat obnovu sv\u00fdch nem\u011bnn\u00fdch datab\u00e1zov\u00fdch archiv\u016f do izolovan\u00e9ho, air-gapped VPC nebo VLAN. Spus\u0165te Obrana proti ransomwaru je cvi\u010den\u00edm v p\u0159edpokladu pr\u016fniku. V dob\u011b, kdy se ve va\u0161em SIEM spust\u00ed v\u00fdstraha, se \u00fato\u010dn\u00edci pravd\u011bpodobn\u011b ji\u017e pokusili kompromitovat va\u0161i z\u00e1lohovac\u00ed infrastrukturu. Architektura va\u0161ich datab\u00e1zov\u00fdch archiv\u016f pomoc\u00ed nem\u011bnn\u00e9ho \u00falo\u017ei\u0161t\u011b v re\u017eimu shody zbavuje \u00fato\u010dn\u00edky jejich hlavn\u00ed p\u00e1ky. A\u0165 u\u017e vyu\u017e\u00edv\u00e1te nativn\u00ed cloudov\u00e1 API, ZFS holdy nebo podnikovou orchestraci jako CloudSave, implementace WORM \u00falo\u017ei\u0161t\u011b ji\u017e nen\u00ed voliteln\u00e1 \u2013 je to povinn\u00fd pil\u00ed\u0159 modern\u00ed spr\u00e1vy datab\u00e1z\u00ed a obnovy po hav\u00e1rii.<\/p>\n","protected":false},"excerpt":{"rendered":" ** Learn how to protect enterprise database archives from ransomware using immutable storage. Discover technical implementation steps for AWS S3 Object Lock, ZFS, PostgreSQL, and SQL Server.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_title":"Immutable Database Storage to Defeat Ransomware","rank_math_description":"** Learn how to protect enterprise database archives from ransomware using immutable storage. Discover technical implementation steps for AWS S3 Object Lock, ZFS, PostgreSQL, and SQL Server.","rank_math_focus_keyword":"immutable database storage","footnotes":""},"categories":[383],"tags":[4570,4571,4572,1281,4573,4574],"class_list":["post-6360","post","type-post","status-publish","format-standard","hentry","category-database-backup","tag-3-2-1-1-backup","tag-data-survivability","tag-database-archives","tag-enterprise-backup","tag-immutable-storage","tag-ransomware-protection"],"yoast_head":"\nMechanismus nem\u011bnn\u00e9ho \u00falo\u017ei\u0161t\u011b<\/h2>\n
Re\u017eim shody (Compliance Mode) vs. Re\u017eim spr\u00e1vy (Governance Mode)<\/h3>\n
\n
s3:BypassGovernanceRetention<\/code>) v\u0161ak mohou z\u00e1mek obej\u00edt. To je u\u017eite\u010dn\u00e9 pro testov\u00e1n\u00ed, ale nedostate\u010dn\u00e9 pro ochranu p\u0159ed ransomwarem<\/strong>, proto\u017ee \u00fato\u010dn\u00edci \u010dasto eskaluj\u00ed sv\u00e1 opr\u00e1vn\u011bn\u00ed na \u00farove\u0148 dom\u00e9nov\u00e9ho administr\u00e1tora nebo roota.<\/li>\nN\u00e1vrh nem\u011bnn\u00e9 z\u00e1lohovac\u00ed pipeline<\/h2>\n
.mdf<\/code>\/.ldf<\/code> v SQL Serveru nebo adres\u00e1\u0159 pg_data<\/code> v PostgreSQL), proto\u017ee datab\u00e1ze vy\u017eaduj\u00ed neust\u00e1l\u00fd p\u0159\u00edstup pro \u010dten\u00ed a z\u00e1pis.<\/p>\n
\n1. Soubory \u00fapln\u00fdch a rozd\u00edlov\u00fdch z\u00e1loh:<\/strong> Z\u00e1kladn\u00ed sn\u00edmky datab\u00e1ze.
\n2. Transak\u010dn\u00ed logy \/ WAL soubory:<\/strong> Kontinu\u00e1ln\u00ed proud datab\u00e1zov\u00fdch zm\u011bn pot\u0159ebn\u00fd pro obnovu k ur\u010dit\u00e9mu bodu v \u010dase (Point-in-Time Recovery \u2013 PITR).<\/p>\nC\u00edlov\u00e1 \u00falo\u017ei\u0161t\u011b pro nem\u011bnnost<\/h3>\n
\n* Cloudov\u00e9 objektov\u00e9 \u00falo\u017ei\u0161t\u011b:<\/strong> AWS S3 Object Lock, Azure Blob Immutable Storage, reten\u010dn\u00ed politiky Google Cloud Storage.
\n* On-premises objektov\u00e9 \u00falo\u017ei\u0161t\u011b:<\/strong> MinIO, Cloudian nebo Pure Storage FlashBlade s podporou S3 Object Lock API.
\n* Blokov\u00e9\/souborov\u00e9 \u00falo\u017ei\u0161t\u011b:<\/strong> ZFS se sn\u00edmky (snapshots) pouze pro \u010dten\u00ed a delegovanou spr\u00e1vou nebo atributy soubor\u016f v Linuxu.<\/p>\nImplementace nem\u011bnn\u00e9ho \u00falo\u017ei\u0161t\u011b: Technick\u00e9 n\u00e1vody<\/h2>\n
1. Cloudov\u00e9 objektov\u00e9 \u00falo\u017ei\u0161t\u011b: AWS S3 Object Lock<\/h3>\n
aws s3api create-bucket \n --bucket prod-db-archive-immutable \n --region us-east-1 \n --object-lock-enabled-for-bucket\n<\/code><\/pre>\naws s3api put-object-lock-configuration \n --bucket prod-db-archive-immutable \n --object-lock-configuration '{\n "ObjectLockEnabled": "Enabled",\n "Rule": {\n "DefaultRetention": {\n "Mode": "COMPLIANCE",\n "Days": 30\n }\n }\n }'\n<\/code><\/pre>\nRetain Until Date<\/code> na z\u00e1klad\u011b \u010dasov\u00e9ho raz\u00edtka vytvo\u0159en\u00ed objektu plus 30 dn\u00ed.<\/p>\n2. On-premises nem\u011bnnost: ZFS a atributy Linuxu<\/h3>\n
chattr<\/code> nebo skute\u010dn\u00e9 nem\u011bnnosti pomoc\u00ed ZFS snapshot\u016f.<\/p>\nchattr<\/code>:<\/strong>
\nP\u0159\u00edznak +i<\/code> (immutable) zabra\u0148uje \u00faprav\u011b, smaz\u00e1n\u00ed nebo p\u0159ejmenov\u00e1n\u00ed souboru.<\/p>\n# Dump datab\u00e1ze\npg_dump -U postgres -Fc mydb > \/backups\/mydb_$(date +%F).dump\n\n# Nastaven\u00ed nem\u011bnnosti z\u00e1lohy\nsudo chattr +i \/backups\/mydb_$(date +%F).dump\n\n# Ov\u011b\u0159en\u00ed atributu\nlsattr \/backups\/mydb_$(date +%F).dump\n# V\u00fdstup: ----i---------e------- \/backups\/mydb_2023-10-27.dump\n<\/code><\/pre>\nchattr<\/code> zastav\u00ed z\u00e1kladn\u00ed skripty ransomwaru, sofistikovan\u00fd \u00fato\u010dn\u00edk s root p\u0159\u00edstupem m\u016f\u017ee jednodu\u0161e spustit chattr -i<\/code>. Proto mus\u00ed b\u00fdt toto \u0159e\u0161en\u00ed kombinov\u00e1no s p\u0159\u00edsn\u00fdm RBAC a izolovan\u00fdmi z\u00e1lohovac\u00edmi s\u00edt\u011bmi.<\/em><\/p>\n
\nZFS poskytuje mnohem siln\u011bj\u0161\u00ed obranu. Vytvo\u0159en\u00edm sn\u00edmku a nastaven\u00edm \u201ehold\u201c (podr\u017een\u00ed) zabr\u00e1n\u00edte jeho smaz\u00e1n\u00ed.<\/p>\n# Vytvo\u0159en\u00ed sn\u00edmku z\u00e1lohovac\u00edho datasetu\nzfs snapshot tank\/db_backups@archive_$(date +%F)\n\n# Nastaven\u00ed hold na sn\u00edmek pro zabr\u00e1n\u011bn\u00ed smaz\u00e1n\u00ed\nzfs hold keep_30_days tank\/db_backups@archive_$(date +%F)\n\n# Ani root nem\u016f\u017ee tento sn\u00edmek smazat bez uvoln\u011bn\u00ed hold\nzfs destroy tank\/db_backups@archive_$(date +%F)\n# V\u00fdstup: cannot destroy 'tank\/db_backups@archive_...': dataset is busy\n<\/code><\/pre>\nStrategie archivace specifick\u00e9 pro datab\u00e1ze<\/h2>\n
Archivace PostgreSQL WAL pomoc\u00ed pgBackRest<\/h3>\n
pgBackRest<\/code> je vysoce spolehliv\u00fd n\u00e1stroj pro z\u00e1lohov\u00e1n\u00ed PostgreSQL, kter\u00fd nativn\u011b podporuje S3 kompatibiln\u00ed \u00falo\u017ei\u0161t\u011b. Pro ochranu sv\u00fdch Write-Ahead Logs (WAL) nakonfigurujte pgBackRest<\/code> tak, aby je odes\u00edlal p\u0159\u00edmo do va\u0161eho nem\u011bnn\u00e9ho S3 bucketu.<\/p>\npgbackrest.conf<\/code>:<\/p>\n[global]\nrepo1-type=s3\nrepo1-s3-bucket=prod-db-archive-immutable\nrepo1-s3-region=us-east-1\nrepo1-s3-endpoint=s3.amazonaws.com\nrepo1-s3-key=AKIAIOSFODNN7EXAMPLE\nrepo1-s3-key-secret=wJalrXUtnFEMI\/K7MDENG\/bPxRfiCYEXAMPLEKEY\n\n# Zajist\u011bte, aby retence odpov\u00eddala va\u0161\u00ed konfiguraci S3 Object Lock\nrepo1-retention-full=2\nrepo1-retention-archive=2\n\n[prod_cluster]\npg1-path=\/var\/lib\/postgresql\/14\/main\n<\/code><\/pre>\npgBackRest<\/code> se pokus\u00ed vypr\u0161et platnost a smazat WAL soubory po 14 dnech na z\u00e1klad\u011b repo1-retention-archive<\/code>, vol\u00e1n\u00ed API pro smaz\u00e1n\u00ed sel\u017eou. Mus\u00edte zajistit, aby reten\u010dn\u00ed politika va\u0161eho z\u00e1lohovac\u00edho softwaru byla v\u011bt\u0161\u00ed nebo rovna nem\u011bnn\u00e9mu z\u00e1mku na \u00farovni \u00falo\u017ei\u0161t\u011b.<\/p>\nMicrosoft SQL Server: Z\u00e1lohov\u00e1n\u00ed na URL<\/h3>\n
.bak<\/code> a .trn<\/code> p\u0159\u00edmo do nem\u011bnn\u00e9ho bucketu.<\/p>\nCREATE CREDENTIAL [s3:\/\/prod-db-archive-immutable.s3.us-east-1.amazonaws.com]\nWITH IDENTITY = 'S3 Access Key',\nSECRET = 'AccessKeyID:SecretAccessKey';\nGO\n\nBACKUP DATABASE [ProductionDB]\nTO URL = 's3:\/\/prod-db-archive-immutable.s3.us-east-1.amazonaws.com\/ProductionDB_Full.bak'\nWITH FORMAT, COMPRESSION, STATS = 10;\nGO\n<\/code><\/pre>\nAutomatizace a orchestrace s CloudSave<\/h2>\n
\n1. Platforma automaticky \u0159e\u0161\u00ed quiescence VSS (Volume Shadow Copy Service) pro SQL Server nebo API pg_start_backup()<\/code> pro PostgreSQL.
\n2. Streamuje deduplikovan\u00e1 a za\u0161ifrovan\u00e1 z\u00e1lohovan\u00e1 data p\u0159\u00edmo do c\u00edlov\u00e9ho \u00falo\u017ei\u0161t\u011b.
\n3. CloudSave dynamicky aplikuje WORM API vol\u00e1n\u00ed (nap\u0159. PutObjectRetention<\/code>) na \u00farovni jednotliv\u00fdch objekt\u016f, \u010d\u00edm\u017e dokonale slad\u00ed dobu trv\u00e1n\u00ed z\u00e1mku \u00falo\u017ei\u0161t\u011b s reten\u010dn\u00edm pl\u00e1nem definovan\u00fdm politikou.
\n4. Pokud \u00fato\u010dn\u00edk kompromituje konzoli pro spr\u00e1vu CloudSave, st\u00e1le nem\u016f\u017ee smazat z\u00e1lohy, proto\u017ee z\u00e1mek shody je vynucen z\u00e1kladn\u00ed infrastrukturou \u00falo\u017ei\u0161t\u011b, nikoliv z\u00e1lohovac\u00edm softwarem.<\/p>\nOsv\u011bd\u010den\u00e9 postupy pro nem\u011bnn\u00e9 datab\u00e1zov\u00e9 archivy<\/h2>\n
1. P\u0159\u00edsn\u00e1 synchronizace NTP<\/h3>\n
2. Izolace IAM rol\u00ed a p\u0159ihla\u0161ovac\u00edch \u00fadaj\u016f<\/h3>\n
s3:PutObject<\/code> a s3:PutObjectRetention<\/code>. Nikdy<\/strong> by nem\u011bly m\u00edt opr\u00e1vn\u011bn\u00ed s3:DeleteObject<\/code> nebo s3:PutBucketObjectLockConfiguration<\/code>.<\/p>\n{\n "Version": "2012-10-17",\n "Statement": [\n {\n "Effect": "Allow",\n "Action": [\n "s3:PutObject",\n "s3:GetBucketObjectLockConfiguration"\n ],\n "Resource": [\n "arn:aws:s3:::prod-db-archive-immutable",\n "arn:aws:s3:::prod-db-archive-immutable\/*"\n ]\n }\n ]\n}\n<\/code><\/pre>\n3. Nastaven\u00ed reten\u010dn\u00edho obdob\u00ed<\/h3>\n
\nM\u00edsto toho pou\u017eijte vrstven\u00fd p\u0159\u00edstup:
\n* Vrstva operativn\u00ed obnovy:<\/strong> 14 a\u017e 30 dn\u00ed nem\u011bnn\u00e9 retence pro \u00fapln\u00e9 z\u00e1lohy a logy.
\n* Vrstva dlouhodob\u00e9 archivace:<\/strong> M\u011bs\u00ed\u010dn\u00ed \u00fapln\u00e9 z\u00e1lohy p\u0159esunut\u00e9 do Glacier\/Deep Archive s Vault Lockem na 1\u20137 let.<\/p>\n4. Pravideln\u00e9 testov\u00e1n\u00ed obnovy v izolovan\u00fdch VPC<\/h3>\n
DBCC CHECKDB<\/code> (SQL Server) nebo pg_amcheck<\/code> (PostgreSQL) na obnoven\u00fdch datech pro ov\u011b\u0159en\u00ed struktur\u00e1ln\u00ed integrity.<\/p>\nZ\u00e1v\u011br<\/h2>\n